€114 million in fines have been imposed by European authorities under GDPR
Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25th May 2018. According to DLA Piper's latest GDPR Data Breach Survey, data protection regulators have imposed €114 million in fines under the GDPR regime for a wide range of GDPR infringements, not just for data breach. A further €329 million in fines have been threatened by the UK regulator.
Finland has reported 6355 data breaches notified to regulators, ranking it 8th overall in the survey. It has issued no fines to date. Of the Nordic countries, Finland stands in the middle; Denmark and Sweden have reported more data breaches than Finland (9806 and 7333 respectively) whereas Norway and Iceland have reported fewer incidents (2824 and 338 respectively). The Netherlands, Germany and the UK topped the table for the number of data breaches notified to regulators with 40,647, 37,636 and 22,181 notifications respectively. France, Germany and Austria top the rankings for the total value of GDPR fines imposed with just over €51 million, €24.5 million and €18 million respectively. By 17 January 2020, Norway, Denmark and Sweden had imposed GDPR fines with a total value of €819,840.
The daily rate of breach notifications has also increased by 12.6% from 247 notifications per day for the first eight months of GDPR from 25 May 2018 to 27 January 2019, to 278 breach notifications per day for the current year.
Weighting the results against country populations, Finland reported 71.11 breaches per 100,000 people for the period of 28 January 2019 to 27 January 2020, up from 45.1 per 100,000 people last year. This ranks Finland 5th this year compared to 4th last year. The Netherlands again came top with 147.2 reported breaches per 100,000 people, up from 89.8 per 100,000 people last year, followed by Ireland and Denmark. Italy, Romania and Greece reported the fewest breaches per capita. Italy, a country with a population of over 62 million people, only recorded 1886 data breach notifications, illustrating the cultural differences in approach to breach notification.
The highest GDPR fine to date was €50 million, imposed by the French data protection regulator on Google for alleged infringements of the transparency principle and lack of valid consent, rather than for a data breach. Following two high-profile data breaches, the UK ICO published two notices of intent to impose fines in July 2019 totalling £282 million (approximately €329 million), although neither of these had been finalised as at the date of this report.
Commenting on the report, DLA Piper’s IP and Technology Partner in Finland Sami Rintala said: “The rate of breach notifications in Finland has increased on a year-over-year basis. We see the increase to be driven mainly by two factors; a higher awareness of data security and privacy in general, and organisations’ challenges in interpretation of the regulatory requirements on how to determine whether a particular security deviation needs to be notified to the supervisory authorities or not. Many organisations end up notifying just to be on the safe side.”
Patrick Van Eecke, chair of DLA Piper's international data protection practice, said: "The early GDPR fines raise many questions. Ask two different regulators how GDPR fines should be calculated and you will get two different answers. We are years away from having legal certainty on this crucial question, but one thing is for certain, we can expect to see many more fines and appeals over the coming years."
N.B. Not all Member States of the European Economic Area make breach notification statistics publicly available. Many have only provided statistics for part of the period covered by this report, so the figures have been rounded up and in some cases extrapolated to provide best approximations. Similarly, not all GDPR fines are made public.